SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  full mesh VPN with Cisco ASA and SRX240 via st0

    Posted 07-28-2015 01:37

    Hi,

    I'm trying to configure a site-to-site VPN with full mesh. My side is an SRX240 cluster; the remote location uses a Cisco ASA (not sure about the exact model, I don't have management access).

    We need to connect multiple networks on both sides, and the examples [0] are unfortunately not working in our environment because they are based on FBF rules; the st0 interface doesn't support firewall filters.

     

    Network schema:


    10.0.0.0/24   10.1.0.0/24
           ||       ||
           LAN      LAN
           ||       ||
          -------------
          | Cisco ASA |
          -------------
                ||
                VPN
                ||
         -------------
         |  SRX 240  |
         -------------
         reth0     st0
          ||        ||
          LAN       VPN
          ||        ||
    10.2.0.0/24   10.3.0.0/24

     

    Any ideas how to roll out such a VPN structure? I'm quite sure it should be possible (routing-instance voodoo?), but I'm no longer able to think outside the box. Any input is appreciated!

    Thanks, Renke

    [0] http://kb.juniper.net/InfoCenter/index?page=content&id=KB28861



  • 2.  RE: full mesh VPN with Cisco ASA and SRX240 via st0
    Best Answer

     
    Posted 07-28-2015 02:05

    Hello,

    If you need full mesh, create a route-based VPN and configure traffic selectors (available starting from 12.1X46). This will give you a full mesh VPN.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB28820



  • 3.  RE: full mesh VPN with Cisco ASA and SRX240 via st0

    Posted 07-28-2015 02:08

    Sam,

    thanks a lot. I will take a look at the release (the version used in our prod environment is 12.1X44, though).

    Renke



  • 4.  RE: full mesh VPN with Cisco ASA and SRX240 via st0

     
    Posted 07-28-2015 02:41

    Hello,

    Thanks. Keep us posted once you implement it, so that we can help if you run into any issues.



  • 5.  RE: full mesh VPN with Cisco ASA and SRX240 via st0

    Posted 11-16-2015 02:39

    Sam,

    sorry for the delay; only last week was the Cisco guy willing to reconfigure the VPN to my test setup with 12.1X46. It works great!

    Renke



  • 6.  RE: full mesh VPN with Cisco ASA and SRX240 via st0

    Posted 07-29-2015 02:10

    It has always been a real pain to configure a VPN to an ASA, and traffic selectors made it a bit easier.

    Another option, if your Junos version does not support traffic selectors, is to try to summarize the subnets as much as possible and then configure them as multiple vpn statements with multiple subinterfaces, but keeping the gateway, policies, etc. the same, something like:

    	vpn vpn1.1 {
    	    bind-interface st0.1;
    	    ike {
    	        gateway gw1;
    	        /* one proxy-identity pair per VPN instance */
    	        proxy-identity {
    	            local 10.10.10.0/24;
    	            remote 192.168.1.0/24;
    	        }
    	        ipsec-policy policy1;
    	    }
    	}
    	vpn vpn1.2 {
    	    bind-interface st0.1;
    	    ike {
    	        gateway gw1;
    	        /* same gateway and policy, only the local subnet differs */
    	        proxy-identity {
    	            local 10.10.11.0/24;
    	            remote 192.168.1.0/24;
    	        }
    	        ipsec-policy policy1;
    	    }
    	}
    	/* each vpn needs a unique name; the original listing reused vpn1.2 here */
    	vpn vpn1.3 {
    	    bind-interface st0.2;
    	    ike {
    	        gateway gw1;
    	        proxy-identity {
    	            local 10.10.12.0/24;
    	            remote 192.168.2.0/24;
    	        }
    	        ipsec-policy policy1;
    	    }
    	}


  • 7.  RE: full mesh VPN with Cisco ASA and SRX240 via st0

     
    Posted 07-29-2015 05:02

    Hello,

    Multiple IPsec VPN instances were the workaround, before traffic selectors, to implement the multiple-subnet case behind the VPN firewalls.

    Traffic selectors made it easier to set up.